On Sunday, July 08, 2012 7:54:40 am Dan Lukes wrote:
> 
> >Submitter-Id:        current-users
> >Originator:  Dan Lukes
> >Organization:        Obludarium
> >Confidential:        no
> >Synopsis:    [ patch ] improper handling of ACPI TCPA table, acpidump abend imminent
> >Severity:    serious
> >Priority:    medium
> >Category:    bin
> >Class:               sw-bug
> >Release:     FreeBSD 9.0 i386
> >Environment:
> System: FreeBSD 9.0
> src/usr.sbin/acpi/acpidump/acpi.c,v 1.42.2.1.2.1
> 
> but apply for all revisions past 1.38 (e.g. all RELENG_9 and HEAD)
> 
> >Description:
>       TCG ACPI (TCPA) support added as SVN rev 211196
> 
> 1. event->event_type and event->event_size are big-endian (see TCPA PC
> Specific Specification, paragraph 7.2.2.2). Current code uses them directly.
> It causes misinterpretation of values and may cause abend.
> 
> 2. 'if (vaddr + event->event_size >= vend )' test is insufficient because:
> 
> 2a) event->event_size is declared signed and may be negative (especially when
> a big-endian value is used without proper conversion)
> 2b) vaddr+event->event_size may overflow / wrap around even in the case where
> event_size is positive
> 
> in both cases, memory outside of the <vaddr,vend> range may be referenced.
> Abend is imminent.
> 
> >How-To-Repeat:
> Dump a non-empty TCPA table. It will print events incorrectly and may abend.
> 
> >Fix:
> 
> 1. use ntohl() to convert event->event_size and event->event_type before use
> 2. test vaddr + eventdatasize for wraparound/underflow case also

It might be best to use betoh() macros from <sys/endian.h> instead of ntohl().

-- 
John Baldwin
_______________________________________________
freebsd-acpi@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-acpi
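A hardened walker for the TCPA event log discussed in the PR, added here as an example; it is not code from acpidump or from either poster. The layout follows the TCG 1.2 SHA-1 event format (pcr_index, event_type, 20-byte digest, event_size, data); the struct, function names and sample bytes are this example's own constructions. It converts the big-endian fields before use and bounds-checks event_size by subtraction from the remaining length rather than by pointer addition, so neither a sign flip nor a wraparound can push reads past the end of the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Header: pcr_index(4) + event_type(4) + SHA-1 digest(20) + event_size(4). */
#define TCPA_EVENT_HDR 32
struct tcpa_event {                /* this example's own struct, not acpidump's */
    uint32_t pcr_index, event_type, event_size;
    uint8_t  digest[20];
    const uint8_t *event_data;     /* points into the caller's buffer */
};
/* Big-endian load: equivalent to be32toh()/ntohl() on the field, but also safe
 * on unaligned entries, which variable-length event data makes unavoidable. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Parse one entry from buf[0..len). Returns bytes consumed, or 0 when it does
 * not fit. The unsigned size is compared against (len - TCPA_EVENT_HDR), which
 * cannot wrap, unlike the pointer sum vaddr + event_size the PR describes. */
size_t tcpa_parse_event(const uint8_t *buf, size_t len, struct tcpa_event *ev)
{
    if (len < TCPA_EVENT_HDR)
        return 0;
    uint32_t size = load_be32(buf + 28);
    if (size > len - TCPA_EVENT_HDR)
        return 0;
    ev->pcr_index  = load_be32(buf);
    ev->event_type = load_be32(buf + 4);
    memcpy(ev->digest, buf + 8, sizeof ev->digest);
    ev->event_size = size;
    ev->event_data = buf + TCPA_EVENT_HDR;
    return TCPA_EVENT_HDR + size;
}
/* Walk a whole log; returns the entry count, or -1 at the first bad entry. */
int tcpa_count_events(const uint8_t *buf, size_t len)
{
    struct tcpa_event ev;
    size_t used; int n;
    for (n = 0; len > 0; buf += used, len -= used, n++)
        if ((used = tcpa_parse_event(buf, len, &ev)) == 0)
            return -1;
    return n;
}
/* Constructed sample: entry A (pcr 0, type 1, "abc"), entry B (pcr 7, type 4). */
static const uint8_t sample_log[] = {
    0,0,0,0, 0,0,0,1, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,3, 'a','b','c',
    0,0,0,7, 0,0,0,4, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0 };
/* Entry A with event_size 0xFFFFFFFF, i.e. -1 if read as a signed int (PR 2a). */
static const uint8_t bad_log[] = {
    0,0,0,0, 0,0,0,1, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 255,255,255,255, 'a','b','c' };
```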